privacy

We all like to think we’re unique, but when it comes to remaining anonymous online that’s probably not such a good idea. By now, it’s common knowledge that advertising firms, three-letter agencies, and who-knows-who-else want to know what websites you’re visiting and how often. Persistent tracking cookies, third-party cookies, and “like” buttons keep tabs on you at all times.

For whatever reason, you might want to browse anonymously and try to plug some of the obvious sources of identity leakage. The EFF and their Panopticlick project have bad news for you.

The idea behind Panopticlick is simple: to try to figure out how identifiable you are even if you’re not accepting cookies, or if you’ve disabled Flash, or if you’re using “secure” browsers. To create a fingerprint of your browser, Panopticlick takes all the other little bits of identifying information that your browser gives up, and tries to piece them together.

For a full treatment of the project, see this paper (PDF). The takeaway from the project is that the information your browser gives up to servers can, without any cookies, specifically identify you.

For instance, a server can query which plugins your browser supports, and if you’ve installed anything a tiny bit out of the ordinary, you’re fingerprinted. Your browser’s User Agent strings are often over-specific and tell which browser sub-sub-sub version you’re running on which OS platform. If you’re running Flash, it can report back which fonts you’ve got installed on your system. Any of these can easily be as rare as one-in-a-million. Combining them (unless they’re all highly correlated) can fingerprint you uniquely.

You can’t necessarily win. If you disable Flash, the remote site doesn’t get your font list, but since only one in five browsers runs with Flash disabled, you’re still giving up two bits of information. If you run a “privacy-enhancing” niche browser, your chances of leaving a unique fingerprint go through the roof unless you’re also forging the User Agent strings.
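The arithmetic behind those "bits of information", as an added example that is not from the original post or from the EFF: it converts the rates quoted in the post to bits, then measures a small constructed visitor sample to show why per-attribute bits only add up when the attributes are independent. The visitor records and function names are assumptions made for illustration.

```python
import math
from collections import Counter

def surprisal_bits(one_in_n):
    """Bits of identifying information in a trait shared by 1 in n browsers."""
    return math.log2(one_in_n)

# Rates quoted in the post (1 in N browsers share the trait).
PAGE_RATES = {"flash_disabled": 5, "dwb_user_agent": 1.4e6, "screen_1280x1024x24": 24}

# Constructed sample of 16 visitors (not Panopticlick data):
# (user agent, font list seen via Flash or None if blocked, screen)
VISITORS = (
    [("Firefox/Win", "fonts-A", "1920x1080x24")] * 5
    + [("Chrome/Win", "fonts-A", "1920x1080x24")] * 4
    + [("Chrome/Win", "fonts-B", "1366x768x24")] * 3
    + [("Firefox/Linux", None, "1920x1080x24")] * 2
    + [("Safari/Mac", "fonts-M", "2560x1600x24")] * 1  # fonts track the UA
    + [("dwb/Linux", None, "1280x1024x24")] * 1
)

def attribute_bits(visitors, target):
    """Surprisal of each attribute of `target`, measured one at a time."""
    n = len(visitors)
    return [math.log2(n / Counter(v[i] for v in visitors)[value])
            for i, value in enumerate(target)]

def anonymity_set(visitors, target):
    """How many visitors share the complete fingerprint."""
    return visitors.count(target)

def joint_bits(visitors, target):
    """Surprisal of the whole fingerprint; this is what actually identifies you."""
    return math.log2(len(visitors) / anonymity_set(visitors, target))

if __name__ == "__main__":
    for trait, n in PAGE_RATES.items():
        print(f"{trait}: 1 in {n:g} = {surprisal_bits(n):.2f} bits")
    for target in sorted(set(VISITORS), key=str):
        naive = sum(attribute_bits(VISITORS, target))
        print(f"{target[0]:14} set={anonymity_set(VISITORS, target)} "
              f"joint={joint_bits(VISITORS, target):.2f} bits, "
              f"naive sum={naive:.2f} bits")
```

In this sample the niche browser is unique on its User Agent alone, so the blocked font list and the unusual screen add nothing further: the naive sum overstates the joint figure because the attributes are correlated.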

I ran the Panopticlick experiment twice, once with a Firefox browser and once with an obscure browser that I actually use most of the time (dwb). Firefox runs a Flash blocker standard, so they didn’t get my font list. But still, the combination of browser plugins and a relatively new Firefox on Linux alone made me unique.

It was even worse for the obscure browser test. Only one in 1.4 million hits use dwb, so that alone was bad news. I also use a 4:3 aspect-ratio monitor, with 1280×1024 pixels at 24-bit color depth, which is apparently a one-in-twenty-four occurrence. Who knew?

Finally, I tried out the Tor browser, which not only routes your traffic through the Tor network, but also removes a lot of the specific data about your session. It fared much better: instead of being uniquely identifiable, I was only one in a thousand. (Apparently a lot of people trying out the Panopticlick site ran Tor browser.)

If you’re interested in online anonymity, using something like Tor to obscure your IP address and disabling cookies is a good start. But Panopticlick points out that it may not be enough. You can never use too many layers of tinfoil when making your hat.

It wasn’t long ago that we saw the Echo bloom into existence as a standalone product from its conceptual roots as a smartphone utility. These little black columns have hardly collected their first film of dust on our coffee tables and we’re already seeing similar technology debut on the toy market, which causes me to raise an eyebrow.

There seems to be some appeal in making toys smarter, with the intent being that they may help a child learn while they play. Fair enough. It was recently announced that a WiFi-enabled “Hello Barbie” doll will be released sometime this Fall. This new doll will not only be capable of responding to a child’s statements and questions by accessing the Internet at large, it will also log the likes and dislikes of its new BFF on a cloud database so that it can reference the information for later conversations. Neat, right? Because it’s totally safe to trust the Internet with information innocently surrendered by your child.

Similarly, there is a Kickstarter going on right now for a re-skinned box-o-internet for kids in the shape of a dinosaur. The “GreenDino” is the first in a new line called CogniToys, from a company touted by IBM which has its supercomputer, Watson, working as a backbone to answer all of the questions a child might ask. In addition to acting as an informational steward, the GreenDino will also toss out questions, and upon receiving a correct answer, respond with praise.

Advancements in technology are stellar. Though I can see where a child version of myself would love having an infinitely smart robot dinosaur to bombard with questions, in the case of WiFi and cloud connectivity, the novelty doesn’t outweigh the potential hazards the technology is vulnerable to. Like what, you ask?

Whether on Facebook or some other platform, adults accept the unknown risks involved when we put personal information out on the Internet. Say for instance I allow some mega-corporation to store on their cloud that my favorite color is yellow. By doing so, I accept the potential outcome that I will be thrown into a demographic and advertised to… or in ten years be dragged to an internment camp by a corrupt yellow-hating government who subpoenaed information about me from the corporation I consensually surrendered it to.

The fact is that I understand those types of risks… no matter how extreme and silly they might seem. The child playing with the Barbie does not.

All worst case scenarios of personal data leakage and misuse aside, what happens when Barbie starts wanting accessories? Or says to their new BFF something like, “Wouldn’t we have so much more fun if I had a hot pink convertible?”

Hackaday has posted Terms of Use and Privacy Policy documents which you should read. These can also be accessed through the Policies Page which is linked in the footer. We’ve edited this post to take up less room since it will be sticky for a few days. Original text and updates after the jump.

Your web traffic is being logged at many different levels. There are a few different options to re-implement your privacy (living off the grid excluded), and the Tor network has long been one of the best options. But what about when you’re away from your home setup? Adafruit has your back. They’ve posted a guide which will turn a Raspberry Pi into a portable Tor proxy.

The technique requires an Ethernet connection, but these are usually pretty easy to come by in hotels or relatives’ homes. A bit of work configuring the Linux network components will turn the RPi into a WiFi access point. Connect to it with your laptop or smartphone and you can browse like normal. The RPi will anonymize the IP address for all web traffic.

Leveraging the Tor network for privacy isn’t a new subject for us. We’ve looked at Tor hacks that go all the way back to the beginnings of Hackaday. The subject comes and goes but the hardware for it just keeps getting better!

[dimovi] had a spare LCD monitor sitting around and thought it would be great to convert it into a “privacy” monitor.

The process is simple enough for anyone comfortable with disassembling electronics. He took apart the monitor’s plastic frame, cutting out the polarized film with a utility knife. Once the film was removed, he spent some time removing the film adhesive from the glass panel using a combination of Oops cleaner and paint thinner.

He reassembled the monitor, which now shines a bright white regardless of what is actually being displayed on the screen. He removed the lenses from a pair of theater 3D glasses, replacing the plastic with the film he removed from the monitor.

Now, [dimovi] is the only one who can see what he is doing on his computer, which is just the way he likes it.

While there’s not a lot of magic going on behind the process, we think it’s a neat way to reuse an old monitor.

Most people tend to enjoy a certain modicum of privacy. Aside from the data we all share willingly on the web in the form of forum posts, Twitter activity, etc., people generally like keeping to themselves.

What would you think then, if you found out your iPhone (or any iDevice with 3G) was tracking and logging your every movement?

That’s exactly what two researchers from the UK are claiming. They state that the phone is constantly logging your location using cell towers, placing the information into a timestamped database. That database is not encrypted, and is copied to your computer each time you sync with iTunes. Additionally, the database is copied back to your new phone should you ever replace your handset.

We understand that many iPhone apps use location awareness to enhance the user experience, and law enforcement officials should be able to pull data from your phone if necessary – we’re totally cool with that. However, when everywhere you have been is secretly logged in plaintext without any sort of notification, we get a bit wary. At the very least, Apple should consider encrypting the file.

While this data is not quite as sensitive as say your Social Security number or bank passwords, it is dangerous in the wrong hands just the same. Even a moderately skilled thief, upon finding or swiping an iPhone, could easily dump the contents and have a robust dataset showing where you live and when you leave – all the makings of a perfect home invasion.

Continue reading to see a fairly long video of the two researchers discussing their findings.

Maybe you don’t want that one person that has barged into your life to know your private phone number? Could be a salesperson or a co-worker who you aren’t that impressed with, but have to get in contact with. Check out inumbr.

inumbr is a free online service that gives US users the ability to set up a unique phone number, have it forwarded to any number within the US and then have it set to expire without a trace when finished with it. The unique inumbrs are never reused, and can be extended if longer terms are required. Users choose from a list of 22 area codes from major US cities like Chicago, Los Angeles and New York, select an expiry date and set a number that it should be forwarded to. When the term is up, the number is expired from the system, and never used again for any other user. If you wish to use the number at a later date, you can log into the inumbr system and reactivate it.

As we are becoming more and more mobile and security conscious, the desire for these types of services grows. A phone number can now be given out at will, with security and privacy remaining intact. Google Voice is a major player in this arena. A somewhat similar service, it allows a unique number with voicemail to forward to other numbers at will, creating a masked or unidentified private number that can be given out to third parties. inumbr makes this process simpler with the ability to cut off and reactivate numbers as desired.